PatchSiren cyber security CVE debrief
CVE-2026-0149 Google CVE debrief
CVE-2026-0149 is a vulnerability in the RtpSession::rtpSendRtcpPacket function, which could lead to a heap buffer overflow. This could result in remote code execution with no additional execution privileges needed. User interaction is not required for exploitation. The CVE was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2026-0149) and last modified on [cveModifiedAt](https://nvd.nist.gov/vuln/detail/CVE-2026-0149).
- Vendor
- Product
- Android
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-16
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-16
- Advisory updated
- 2026-06-17
Who should care
This vulnerability may impact users of Android devices. For more information, refer to [ref-4](https://source.android.com/docs/security/bulletin/pixel/2026/2026-06-01).
Technical summary
A heap buffer overflow vulnerability exists in the RtpSession::rtpSendRtcpPacket function. This could allow for remote code execution without requiring additional execution privileges or user interaction.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates from the vendor as soon as they become available.
- Refer to [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-0149) for official CVE details.
- Check [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-0149) for NVD vulnerability details and updates.
Evidence notes
The vendor and product information is currently unknown. However, there is a reference to Android in the evidence.
Official resources
-
CVE-2026-0149 CVE record
CVE.org
-
CVE-2026-0149 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-0149 was published on 2026-06-16T20:16:25.620Z and last modified on 2026-06-16T20:42:25.013Z.